MBR worm ‘hitting computers worldwide’

Dubai, January 27, 2010

Eset, a global provider of security solutions for enterprises and consumers, has sent out a warning that a new worm that overwrites the master boot record (MBR) on all available drives is targeting computers worldwide.

Initially perhaps conceived as a prank targeting a small community of bikers in a central Slovakian region, the worm, detected as Win32/Zimuse.A and Win32/Zimuse.B, has achieved worldwide notoriety, said a statement.

It is a type of threat that overwrites the MBR with its own data. Because the MBR holds the boot code and the partition table, the system no longer boots and the operating system can no longer locate the partitions, so the data stored on the user’s computer becomes inaccessible even though it is still on the disk. Moreover, restoring the corrupted data is complicated, requiring specialized recovery software or a data-recovery provider.

Since the worm first appeared, ESET has detected it on hundreds of its users’ computers. Initially after the outbreak, only users in Slovakia were affected, accounting for over 90 per cent of all infections.

Presently, the greatest number of infected computers is in the US, followed by Slovakia, Thailand and Spain, then Italy, the Czech Republic and other European countries.

The worm uses two ways to spread: either by being embedded in legitimate websites, in the form of a self-extracting ZIP file or an IQ test program, or via removable media, such as USB devices.

Its reliance on USB devices to propagate accounts for its rapid dissemination, which is likely to increase even further.

To date, the worm’s two variants, Win32/Zimuse.A and Win32/Zimuse.B, differ in their method of spread and the timing of activation. While the A-variant waits 10 days before it starts spreading via USB devices, the B-variant needs only seven days from infiltration.

Moreover, the time needed for the execution of the destructive routine is shortened in the B-variant from the original 40 days to 20.

In addition, if the wrong removal method is used, the worm shifts to its destructive mode. This is similar to choosing which wire to cut, and in what sequence, in a bomb-defusing operation, the statement said.

The infiltration does not possess the degree of sophistication needed to encrypt the data on the disk; instead it was designed to corrupt the MBR (Master Boot Record) of physical disk drives.
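Because the damage described above is confined to sector 0, a practitioner can detect it (and prepare for recovery) by reading the first 512 bytes of each physical drive, checking that the sector still has the structure of a valid MBR, and comparing its hash against a baseline taken while the machine was clean. The following Python script is an added example written for this page; it is not ESET’s code and it does not reproduce anything specific to Zimuse. The two sample sectors it builds (one well-formed, one filled with deterministic junk standing in for a wholesale overwrite) are constructed for illustration, and `read_mbr` is only a thin wrapper around a raw device read that needs administrator rights.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"        # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446        # four 16-byte entries follow the boot code
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PARTITION_ENTRY_FMT = "<B3xB3xII"


@dataclass
class PartitionEntry:
    index: int
    status: int
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def empty(self) -> bool:
        return self.type_id == 0 and self.lba_start == 0 and self.sector_count == 0


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Decode the four primary partition entries at offset 446."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * 16
        status, type_id, lba_start, count = struct.unpack_from(PARTITION_ENTRY_FMT, mbr, off)
        entries.append(PartitionEntry(i, status, type_id, lba_start, count))
    return entries


def check_mbr(mbr: bytes) -> List[str]:
    """Return structural findings; an empty list means the sector looks like a sane MBR."""
    if len(mbr) != MBR_SIZE:
        return [f"sector is {len(mbr)} bytes, expected {MBR_SIZE}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    used = [e for e in parse_partition_table(mbr) if not e.empty]
    if sum(1 for e in used if e.status == 0x80) > 1:
        findings.append("more than one partition flagged active")
    for e in used:
        if e.status not in (0x00, 0x80):
            findings.append(f"entry {e.index}: invalid status byte 0x{e.status:02x}")
        if e.lba_start == 0:
            findings.append(f"entry {e.index}: starts at LBA 0 (would overlap the MBR itself)")
        if e.sector_count == 0:
            findings.append(f"entry {e.index}: zero-length partition")
    # Partitions sorted by start sector must not run into the next one.
    ordered = sorted(used, key=lambda e: e.lba_start)
    for prev, cur in zip(ordered, ordered[1:]):
        if prev.lba_start + prev.sector_count > cur.lba_start:
            findings.append(f"entries {prev.index} and {cur.index} overlap")
    return findings


def mbr_digest(mbr: bytes) -> str:
    """SHA-256 of the whole sector, for comparison against a baseline taken on a clean machine."""
    return hashlib.sha256(mbr).hexdigest()


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 of a raw device; needs root/administrator rights."""
    # e.g. "/dev/sda" on Linux or r"\\.\PhysicalDrive0" on Windows
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


# Constructed sample sectors for the demonstration (not captured from an infected machine).
def build_sample_mbr() -> bytes:
    buf = bytearray(MBR_SIZE)
    # One active NTFS partition (type 0x07) starting at LBA 2048, 204800 sectors long.
    struct.pack_into(PARTITION_ENTRY_FMT, buf, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


def build_overwritten_mbr() -> bytes:
    # Deterministic junk standing in for a sector that has been overwritten wholesale.
    return bytes((i * 37 + 11) & 0xFF for i in range(MBR_SIZE))


if __name__ == "__main__":
    good, bad = build_sample_mbr(), build_overwritten_mbr()
    print("clean sector:", check_mbr(good) or "no findings", mbr_digest(good)[:16])
    print("overwritten sector:", check_mbr(bad))
```

Storing the 512-byte sector itself alongside its digest is the cheap insurance the article’s recovery warning points at: if the checks fail after an incident, the saved copy can be written back with a raw disk tool, which restores the partition table without any of the specialized recovery work otherwise required. Note that a GPT disk carries a protective MBR with a single type 0xEE entry, which this check accepts as well-formed.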